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Seamless Cross-Site User Authentication Status Detection 

and Automatic Login 

BACKGROUND OF THE INVENTION 

5 

TECHNICAL FIELD 

The invention relates generally to online user network authentication status 
detection. More particularly, the invention relates to a system and method for 
10 determining in a global network the user network authentication status as the user 
goes from site to site, and providing a transparent/implicit multi-site logon including 
automatic introduction from one site to the other. 

DESCRIPTION OF THE PRIOR ART 

15 

In the world of computer networks and computer network systems, for executing 
applications on a computer, the application often requires users to authenticate 
themselves prior to performing any actions to prevent unauthorized access. 
Typically, a user provides identification by a user name and password combination, 
20 and may have to supply other information such that the user can create and later 
access a private account on a merchant's site. 

Prior art mechanisms for cross-network single sign-on, such as Microsoft Passport 
( www.passport.com ) and AOL Screen Name Service (my.screenname.aol.com), 
25 require partner sites in the network to direct the user's browser to the central 
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authentication Web site in order to obtain the user's network authentication status. 
In a global network including partner sites and non-partner sites, it would be 
advantageous to provide a secure and efficient apparatus and process for partner 
sites to automatically and independently determine if a user has signed into the 
5 global network without the user's browser having to interact with the central 
authentication site. 



SUMMARY OF THE INVENTION 



10 A system and method for determining in a global network the user status as the user 
goes from site to site within the network is provided. Additionally, the system and 
method provides for transparent or implicit multi-site logon functionality, including 
automatic introduction from one site to the other using a baseline authentication 
agency. The system and method provides an architecture for a core global network 

15 (referred to herein as NET) that incorporates some or all of the following features 
and components: a set of baseline authentication agencies responsible for the core 
global network (NET) services, such as login and user-selected service-provider 
lookup; a NET and associated DNS records used for cookie sharing, login routing, 
and the like; and a collection of partner sites accessible via the NET. 

20 

In the preferred embodiment of the invention, the baseline authentication agency 
(referred to herein as BAA) manages a subset of the NET user namespace and 
provides core NET services such as authentication for NET users. The baseline 
authentication agency supports authentication of NET id's via corresponding 
25 passwords or other authentication credentials. After authenticating a user, the 
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baseline authentication agency writes its BAA identification (BAA id) along with an 
authenticated status of true into a cookie that it sets in a shared domain that can be 
accessed by NET partner sites. 



5 When an authenticated NET user visits a NET partner site, the NET partner site 
accesses the shared domain cookie to determine the user's network authentication 
status and baseline authentication agency. If the user is already authenticated into 
the network, the NET partner site may then redirect the user's browser to the 
authentication agency's Web site to request NET id information for the user. The 

10 baseline authentication agency distinguishes between sites that have been linked 
and that have a trust relationship with the user and ones that have not been linked. 
The baseline authentication agency returns the user's NET id information to the 
partner site if it's a linked site, thereby performing a seamless authentication. If the 
site is not linked, the baseline authentication agency returns an authentication error 

15 indication. 

When a NET user logs out of NET, the user's baseline authentication agency resets 
the user's authenticated status to false in the shared domain cookie. 



20 When an unauthenticated NET user visits a NET partner site, the NET partner site 
attempts to access the shared domain cookie and either does not find the cookie at 
all, or sees that the authenticated status is false. In either case, the NET partner site 
sees that the user is not authenticated into NET and thus does not allow access. 



25 
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BRIEF DESCRIPTION OF THE DRAWINGS 

Fig. 1 is a schematic diagram of the components and their respective relationships of 
an architecture for a core global network for detecting user status according to the 
5 invention; 

Fig. 2a is a flow diagram of a realized NET partner site seamless user authentication 
detection and automatic login according to the invention; 

10 Fig. 2b is a flow diagram of a realized NET partner site seamless user authentication 
detection and automatic login according to the invention; and 

Fig. 3 is global network architecture component interaction diagram according to the 
invention. 

15 

DETAILED DESCRIPTION OF THE INVENTION 

A system and method for determining in a global network the user status as the user 
goes from site to site within the network is provided, and can be described with 

20 reference to Fig. 1 . Additionally, the system and method provides for transparent or 
implicit multi-site logon functionality, including automatic introduction from one site to 
the other using a baseline authentication agency. The system and method provides 
an architecture for a core global network 100 (referred to herein as NET) that 
incorporates some or all of the following features and components: a set of baseline 

25 authentication agencies 102 responsible for the core global network (NET) services, 

4 
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such as login and user-selected service-provider lookup; a NET domain 104 and 
associated DNS records 106 used for cookie sharing, login routing, and the like; and 
a collection of partner sites 108 accessible via the 104 NET domain. 



5 In the preferred embodiment of the invention, the baseline authentication agency 102 
(referred to herein as BAA) manages a subset of the NET user namespace and 
provides core NET services for NET users. The baseline authentication agency 102 
supports authentication of NET id's via corresponding passwords or other 
authentication credentials. After authenticating the credentials, the baseline 

10 authentication agency 102 writes its BAA identification (BAA id) along with an 
authenticated status of true into a cookie 110 of the shared domain 104 that is 
accessed by NET partner sites 108. It should be appreciated that both partner sites 
and BAAs have unique NET identifiers. For example, such identifiers can be 
referred to uniformly as "NET ids", or as "partner NET ids" and "BAA NET ids", 

15 respectively. 



When an authenticated NET user visits a NET partner site 108, the NET partner site 
108 accesses the shared domain cookie 110 to determine the user's baseline 
authentication agency 102. The NET partner site 108 then redirects the user's 

20 browser to the authentication agency's Web site 102 to request NET. id information 
for the user. The baseline authentication agency 102 distinguishes between sites 
that have been linked and that have a trust relationship with the user and ones that 
have not been linked. The baseline authentication agency 1 02 returns the users 
NET id information to the partner site 108 if it's a linked site, thereby performing a 

25 seamless authentication. If the site is not linked, the baseline authentication agency 
102 returns an authentication error indication. 

5 
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When a NET user logs out of NET, the user's baseline authentication agency 102 
resets the user's authenticated status to false in the shared domain cookie 110. 

5 When an unauthenticated NET user visits a NET partner site 108, the NET partner 
site 1 08 attempts to access the shared domain cookie 110 and either does not find 
the cookie at all, or sees that the authenticated status is false. In either case, the 
NET partner site 108 sees that the user is not authenticated into NET and thus does 
not allow access. 

10 

Design Goals 

In this section is a discussion of some of the design goals considered for the 
preferred embodiment of the invention. 

15 

The preferred embodiment of the invention provides an architecture for a system that 
is sufficiently decentralized to enable a global network (also referred to herein as 
NET) to assemble a strong partnership of large namespace-owning companies, or 
baseline authentication agencies (BAAs). 

20 

The preferred embodiment of the invention provides means for minimizing barriers to 
adoption, and routine use of NET'S services, by: 

■ existing users of NET'S membership company products; 



i5 
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■ enabling a seamless membership of interoperable authentication agencies and 
their associated user bases; 

■ users without existing NET partnership company ties; and 

5 

■ potential global network affiliates, such as companies operating Web sites and 
Web services. 

The preferred embodiment of the invention provides means for providing user 
10 flexibility in privacy controls. 



The preferred embodiment of the invention provides the following architectural 
15 strategy for achieving the above goals by using the following elements, each element 
discussed in a section by the same name herein below: NET Accounts and GUIDs, 
Baseline Authentication Agencies, and Decentralization of Core NET Functionality 

NET Accounts and GUIDs 

20 

The strategy for addressing the "frictionless service portability" goal, which also 
provides privacy of the NET login ids (communication addresses), provides a 
globally unique identifier (GUID) for each NET user account. Such id is essentially a 
global network account number that will be largely or fully unknown to a user. 



Strategy and Key Concepts 



25 
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It should be appreciated that a GUID may have more than one associated global 
♦network login id. 



Also, this GUID, and not the user NET LID, is the primary key with which the global 
5 network user data records are indexed. With such approach, users are free to 
change their respective NET LIDs. For example, a user can switch from a first ISP's 
email LID to a second ISP's LID for authentication and communication services 
(foo@baa1.com -> foo@baa2.com) without losing their respective global network 
account and everything associated with it throughout the global network. 

10 

For privacy reasons, only the GUID and the name of the authenticating agency are 
shared with third party sites unless the user opts-in to distributing the global network 
LID. In general, unless a user has established a trust relationship or linkage with a 
third party site, not even the GUID is made available to the site. 

15 

Decentralization of Core Global Network (NET) Functionality 

It is undesirable to a candidate global network BAA for the global network 
architecture to have a significant centralization of authentication, wherein global 
20 network servers operated by other global network BAAs would have to be depended 
on and/or are able to track logins to a given global network BAA, such as the 
candidate global network BAA. 

It is also undesirable to a candidate partner site for the global network to depend on 
interaction with a global network server to determine the network authentication 
25 status of users who visit the candidate site. Hence a decentralization requirement 
imposed on the architecture is to enable partner sites in the network to 
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autonomously determine the network authentication status of users who visit, without 
having to direct users to a global network server in order to accomplish this. 
The design strategy for addressing such requirements according to the preferred 
embodiment of the invention is as follows: 

5 

■ Propagate selected global network user information to global network partner 
sites by setting cookies on a global network domain, e.g. partners.net.org, for which 
each partner has an entry, e.g. books.com.partners.net.org, such that partners can 
fetch such data without hitting any centralized global network server, e.g. a server 

1 0 operated by one of the BAAs. 

■ Store baseline global network user account data at the user's owning BAA, vs. at 
a central global network location. 

15 Architecture Components 

The global network architecture includes the following components: 

■ A set of baseline authentication agencies (BAAs) that are responsible for core 
20 global network services, such as user authentication and user-selected service- 
provider lookup. 

■ A global network domain, e.g. net.org, and associated DNS records for use in 
cookie sharing, login routing, etc. 

25 

9 
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■ A collection of partner sites, also known as consumer services, accessible via the 
global network. 

These components of the global network architecture are further described in detail 
5 herein below 

Baseline Authentication Agencies (BAAs) 

In the preferred embodiment of the invention, BAAs are the backbone of the global 
10 network. They collectively manage the global network namespace and provide core 
global network services, such as basic login, account maintenance, service 
subscription management and lookup, etc. for global network users. Following is an 
example of a BAA's responsibilities. 

15 The baseline authentication agency supports authentication of global network ids via 
corresponding passwords or other authentication credentials. After authenticating 
the user, the BAA creates and signs authentication credentials for a given user, and 
deposits such credentials in a centralized domain. 

20 ■ Underlying data: The BAA has, at a minimum, one record per-global network id, 
the record containing a) the global network login id (NET LID); b) a corresponding 
global network GUID; c) privacy option regarding sharing global network login id with 
a linked site, such as a partner site; and d) information sufficient to authenticate the 
user, e.g. a hashed copy of the user's password. 

25 
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The BAA needs to be able to distinguish between a partner site that has been linked, 
i.e. established a trust relationship with the user, and one that has not yet been 
linked. For linked sites, the global network id information for a logged in user is 
implicitly shared as the user visits or surfs to the partner site. For an unlinked site, 
the user is anonymous relative to the global network when visiting the site. 

■ Underlying data: on a per global network id basis, the BAA maintains a list of all 
partner sites that have been linked by the user to the global network id. 



Global Network Domain 



In the preferred embodiment of the invention, the global network owns and operates 
an Internet domain, i.e. the NET domain, such as net.org. This NET domain is used 
as the destination domain for cookies that need to be shared among global network 
BAAs and/or shared among global network partner sites. The login model herein 
discussed calls for a cookie to be made available to all global network partners by 
being set on the NET domain or a subdomain thereof, e.g. partners.net.org, and 
giving each partner a DNS entry on a subdomain thereof, e.g. 
aol.com.partners.net.org. 

The NET domain is also used to facilitate routing of login credential submissions to 
the proper BAA for the user, as described in United States Patent Application Ser. 
No. 10/086,104, filed February 26, 2002. 



Example Implementation 
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This section describes in detail an example implementation according to the 
preferred embodiment of the invention. It should be appreciated that the particular 
implementation is by example only, and that other implementations are possible and 
within the spirit and scope of the invention. The sample implementation can be 
5 described with reference to Figs. 2a and 2b, a flow diagram of a realized NET 
partner site seamless user authentication detection and automatic login. 

Step 1. User navigates to NET partner site abc123.com's home page, which 
the user's browser requests (200). 



an JavaScript tag that instructs the browser to fetch abc123.com's seamless NET 
login JavaScript page from abc123.com's subdomain on the shared NET domain 
and to subsequently detect and process auto-generated login ticket returned by 
15 user's BAA. (201) 



10 



Step 2. 



abc123.com's server returns abc123.com's home page, which contains 



Step. 3 Browser requests abc123.com's seamless NET login JavaScript page, 
and passes along the user's shared NET login cookie, if any. (202) 



20 Step 4. 



abc123.com's server examines the browser request to see if a NET 



login cookie is available. (203) 



Step 5. abc123.com's server examines the user's NET login cookie to see if 
the user's login status is "true", i.e., the user is currently logged in. (204) 



25 
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Step 6. eibc123.com server returns an HTTP redirect to the ticket-generating 
URL configured for the user's BAA, as indicated in the NET login cookie. (205) 



Step 7. Browser follows redirect and requests BAA's ticket-generating URL, 
5 passing along abc123.com's NET id and user's BAA login cookies. (206) 

Step 8. BAA's server inspects user's BAA login cookies to ensure they're valid, 
e.g., by checking their timestamp, checksum values, etc. (207) 

10 Step 9. BAA's server checks its database records to see if user has previously 
authorized seamless login to abc123.com. (208) 

Step 1 0. BAA generates abd 23.com login ticket for user and returns JavaScript 
code containing the ticket. (209) 

15 

Step 11. JavaScript code returned to browser in step 201 detects the login 
ticket, assigns the ticket value to a hidden form field in abc123.com's home page, 
and auto-submits the form to continue the seamless login. (210) 

20 Step 12. abc123.com server receives the ticket from the browser and issues a 
server-to-server request to BAA's ticket-validating URL. (21 1) 

Step 13. BAA server validates the ticket, e.g., by checking its embedded 
timestamp, checksum values, etc. (212) 

25 

Step 14. BAA server returns the user's NET GUID. (213) 

13 



WO 2004/006499 



PCT/US2003/021244 



Step 15. abc123.com server receives the user's NET GUID and looks it up in its 
database to find the user's corresponding abd 23.com user id, then logs the user in 
as that abc123.com user id. (214) 

5 

Step 16. abc123.com server returns JavaScript in which the partner ticket 
variable is set to "0" to indicate that no ticket is available. (215) 

Step 17. BAA server returns JavaScript in which the partner ticket variable is set 
10 to "0" to indicate that no ticket is available. (216) 

Step 18. Browser detects that no partner ticket has been returned, hence aborts 
the seamless NET login processing and leaves abc123.conVs home page (returned 
in step 201) displayed to the user. (217) 

15 

The example partner site implementation consists of the following files, the contents 
of which are listed below. 

■ abcHomePage.htm - an example partner site home page that implements 
20 seamless user status detection and auto-login. 

■ statusDetect.jsp - an example partner site dynamic server page, written in 
JavaServerPages syntax, that detects and acts upon user's login status based on 
NET login status cookie. 

25 

14 
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Table A below shows an example html file for the home page of the partner site 
according to the invention. 



1 <html> 

2 <head> 

3 <title>abcl23 . com home page</title> 
4 

5 <script> 

6 var partnerTicket=0; 

7 // Function to be invoked after page, incl. embedded JavaScript file, loads 

8 function onLoadO { 

9 // Got ticket? 

10 if (partnerTicket != 0) { 

11 // yes — auto-submit to abcl23.com 1 s seamless login handler 

12 document, forms . autologin. ticket, value = partnerTicket; 

13 document . forms . autologin . submit ( ) ; 

14 } 

15 } 

16 </script> 

17 </head> 
18 

19 <body onLoad="onLoad() ; return false;"> 

20 Welcome to abcl23.com! 
21 

22 <p>Guest, please <a href= n loginForm. jsp">login</a>. 
23 

24 <script src="http : //abcl23 . com. partner . net . org/statusDetect . j sp"></script> 
25 

26 <form name*" autologin" action="autoLogin.htm"> 

27 <input type="hidden" name="ticket" value="0 ,f > 

28 </form> 
29 

30 </body> 
31 

32 </html> 



Table B below shows an example JavaScript program segment for detecting a user's 
status according to the invention. 



Table A 



abcHomePage.htm: 
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statusDetect.jsp: 

1 <%@ page language*" java" 

2 import=" j ava . net . * , j ava . io . * , j ava . util . * , j avax . servlet . http . * n 

3 %> 
4 

5 <% 

6 // Find netLoginStatus cookie value, if any 

7 Cookie cookies [] - request. getCookies () ; 

8 boolean found ** false; 

9 String status = null; 
10 String baald - null; 
11 

12 for (int i=0; (i<cookies. length) && ! found; i++) { 



13 found = cookies [ i] . getName ( ) . equals ( "netLoginStatus" ) ; 

14 if (found) { 

15 // value is of form <status>-<BAAId> 

16 String val - cookies [i] .getValue () ; 

17 int sepPos = val .indexOf ("-") ; 

18 status = val. substring (0, sepPos); 

19 baald = val. substring (sepPos+1) ; 

20 } 



21 } 
22 

23 // Found cookie and user logged in? 

24 if (found && status . equals ("true") ) { 



25 // Yes 
26 

27 // Lookup BAA 1 s ticket-generating URL 

28 String baaUrl - ""; 

29 if (baald. equals ("baal") ) { 
30 

31 baaUrl - "http://login.baal.partner.net.org/ticketGen7siteId-abcl23.com"; 

32 } else if (baald. equals ("baa2") ) { 

33 baaUrl = "http://auth.baa2.partner.net.org/tg7siteId-abcl23.com"; 

34 }//... 
35 

36 // Redirect to BAA's ticket-generating URL 

37 response . sendRedirect (baaUrl ) ; 

38 } else ( 

39 //No — render login button 

40 out.println("<a href=A"loginForm. jsp\">Login</a>") ; 

41 ) 



Seamless Login Example 
16 
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This section illustrates interactions when the user visits a global network partner site 
after previously logging into the global network during the same session, and can be 
described with reference to Fig. 3, a global network architecture component 
interaction diagram. 

The following steps are meant by example only, and other ways of achieving the 
same results are within the scope and spirit of the invention. 



Stepl. User clicks on a site that has been bookmarked, such as 
10 "auction - ! 23.com", and the browser requests the auction123.com home page. (301) 



The returned auction123.com home page (302) includes a JavaScript SRC= tag 
which tells the browser to fetch an auctionl 23.com-served JavaScript file from 
auction123.com.partners.net.org as well as other JavaScript code that is used herein 
15 below. (303) 

Step 2. The auction123.com server on partners.net.org gets a NET_BAA 
cookie and thus knows that a seamless global network login for such user is 
possible, i.e. if they have previously linked their auction123.com/global network 
20 accounts and opted into the auto-login feature. (303) 

Step 3. The auction123.com server uses the baseline authentication agency 
domain from the NET_BAA cookie, aol.com.auth.net.org in this case, to formulate 
the URL to the BAA's login token-generation service, and returns an HTTP redirect 
25 to this URL. (304) 



17 



WO 2004/006499 




PCT/US2003/021244 



Step 4. The browser fetches aol.com's login token generation service URL, 
passing auction123.com's global network site id. (305) 

Step5. The BAA (aol.com) server receives the token-generation request 
5 including site id, as well as the user's NET credential cookies previously sent to the 
browser. 

It checks to see if 1) the site id is known or valid; 2) the user's credentials are valid; 
and 3) the user has authorized seamless login to that site. Because all conditions 
10 are true in this case, it generates and returns a JavaScript snippet containing a 
short-lived, auction123.com specific, encrypted global network login token bound to 
a JavaScript variable, such as "netLoginTok". (306) 

Step 6. The auction123.com's, original page served in Step 1 above, includes 
15 JavaScript that sees if the JavaScript variable, netLoginTok has a value. When the 
step fails, then netLoginTok has no value. 

In the case netLoginTok has a value, then the auction123.com JavaScript code 
proceeds with the seamless global network login processing as follows: 

20 

The JavaScript code writes out an HTML form that includes the global network login 
token as a hidden field and the auction123.com global network login handler as the 
action (target URL). It then auto-submits the form such that the browser POSTS the 
form to the auction123.com global network login handler URL on auction123.com. 
25 (307) 
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Step 7. The auction123.com server requests mapping of login token -> account 
number. (308) 



The aol.com (BAA) server decrypts the login token and performs a series of 
validation checks on it, such as: not expired and if the IP of requesting 
auction123.com server is in allowed list for site id = auction123.com. 

The validation checks pass and the aol.com server returns the user's global network 
account number to the auction123.com server. (309) 

Step 8. The auction123.com server maps user's global network account 
number to their auction123.com record, and proceeds to log user in as usual, setting 
auction123.com cookies, etc., and returns a personalized welcome page. (310) 

Accordingly, although the invention has been described in detail with reference to 
particular preferred embodiments, persons possessing ordinary skill in the art to 
which this invention pertains will appreciate that various modifications and 
enhancements may be made without departing from the spirit and scope of the 
claims that follow. 
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CLAIMS 



1 . An apparatus for determining in a global network the user status as the user 
5 goes from site to site within said network, said apparatus comprising: 

a set of baseline authentication agencies responsible for core global network 
authentication services; 

a global network domain and associated DNS records used for cookie 

sharing, login routing, and the like; and 
10 a collection of partner sites with access to cookies shared via said global 

network domain. 

2. The apparatus of Claim 1 , wherein a baseline authentication agency of said 
set of baseline authentication agencies: 

15 provides authentication services for a subset of the users of the global 

network after authenticating a user, writes a site identification along with an 
authenticated status of true into a cookie of said global network domain shared and 
accessible by said collection of partner sites; and when a global network user logs 
out of said global network, resets the user's authenticated status to false in said 

20 shared domain cookie. 

3. The apparatus of Claim 2, further comprising 

means for when an authenticated global network user using a browser visits a 
partner site of said collection of partner sites, said partner site accessing said shared 
25 domain cookie to determine the user's baseline authentication agency; 
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means for said partner site redirecting said user's browser to said baseline 
•authentication agency to request global network id informational of the usen 

wherein said baseline authentication agency distinguishes between sites that 
have been linked and that have a trust relationship with the user and ones that have 
5 not been linked; and 

means for said baseline authentication agency returning said global network 
id informational of the user to said partner site if if s a linked site, thereby performing 
a seamless authentication, and if said site is not linked, said baseline authentication 
agency returning an authentication error indication. 

10 

4. The apparatus of Claim 2, further comprising: 

means for when an unauthenticated global network user visits a global partner 
site, said global network partner site attempting to access said shared domain cookie 
and either not finding said cookie at all, or determining that said authenticated status 
15 is false; and 

wherein in either case, said global network partner site determining that a 
user is not authenticated into the global network and thus not allowing access for 
said user. 

20 5. The apparatus of Claim 2, further comprising a globally unique identifier for 
each global network user account, wherein said globally unique identifier is a primary 
key with which global network user data records are indexed, and wherein for 
privacy reasons, only said globally unique identifier and a name of an associated 
baseline authenticating agency are shared with third party sites unless a user opts-in 

25 to distributing said global network login id. 
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6. The apparatus of Claim 1 , further comprising means for decentralizing core 
global network functionality, said means for decentralizing further comprising: 

means for propagating selected global network user information to global 
network partner sites by setting cookies on a global network domain for which each 
partner has an entry, such that partners can fetch said data without hitting any 
centralized global network server. 



7. A method for an existing global network user using a browser and having a 
global network account logging onto a global network partner site without preexisting 

10 authentication, said user having an account on said partner site, wherein said user 
account has an account number, and wherein said user previously authorized said 
global network to seamlessly log said user into said partner site, said method 
comprising the steps of: 

said user authenticating itself to a baseline authentication agency associated 

15 with the user, via any suitable method allowed by said baseline authentication 
agency and said global network; 

said baseline authentication agency setting values of a plurality of shared 
cookies, said plurality of cookies set on a partner-site-accessible subdomain of a 
global network domain, thereby readable by said baseline authentication agency and 

20 all global network partner sites, said plurality of shared cookies comprising, but not 
limited to: 

a shared network login status cookie containing both the user's global 
network login status, and the network id of the user's baseline authentication agency; 
said baseline authentication agency setting values of a plurality of private 
25 cookies, set on a private domain only accessible by said baseline authentication 
agency, said plurality of private cookies comprising, but not limited to: 
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one or more global network credential cookies; 

said baseline authentication agency generating a short-lived, partner-specific, 
encrypted login token and returning it to the browser as a hidden input field in an 
auto-submitting input form; 

said browser processing said auto-submitting input form returned by said 
baseline authentication agency and submitting sad login token to a partner site's 
login handler; 

said partner site performing a server to server token validation request to said 
baseline authentication agency by passing said login token; 

said baseline authentication agency validating said login token and returning 
the user's global network account number to the partner site; and 

said partner site mapping the user's global network account number to a 
corresponding login id on said partner site, proceeding to log in, setting 
corresponding cookies on said partner site, and returning a personalized welcome 
page to said browser. 

8. The method of Claim 7, wherein at least one cookie of said plurality of cookies 
serves as a flag to said partner sites indicating that the user is logged into the global 
network. 

9. The method of Claim 7, wherein said global network server generates a short- 
lived, partner site-specific, encrypted global network login token, and wherein a 
response of said global network server comprises a redirect instruction to said 
partner site global for a network login handler, and wherein said redirect instruction 
comprises said global network login token. 
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10. A method for a user on a global network using a browser visiting a partner 
Web site, wherein said partner Web site is a linked and seamlessly login enabling 
global network site, during an ongoing session, said method comprising the steps of: 
said user selecting said partner Web site and said browser requesting a home 
5 page of said partner Web site, wherein said home page of said partner Web site 
comprises a JavaScript tag telling said browser to fetch a partner site-served 
JavaScript file from said partner site server, as well as fetch other relevant 
JavaScript code; 

said partner Web site server obtains a network login status cookie on a global 
10 network domain, thereby determining said user's global network login status and 
BAA; 

said partner Web site using a BAA id from said network login status cookie for 
formulating a URL to a login token-generation service of said associated 
authentication agency domain, and returning an HTTP redirect to said URL; 
15 said browser fetching said URL, and passing a global network site id of said 

partner Web site; 

said associated authentication agency domain receiving said token- 
generation request including said site id, as well as any corresponding user global 
network credential cookie previously sent to the browser; 
20 said partner Web site's home page comprising a particular JavaScript code 

and using said particular JavaScript code for determining a JavaScript login-token 
variable has a value, wherein if said login-token variable has said value, then said 
proceeds with a seamless global network login processing; 

said partner Web site requesting mapping of said login-token variable to an 
25 user global network account number; 
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said global network server decrypting said login-token variable and performing 
validation checks on said login-token variable, said checks comprising, but not 
limited to: not expired and if an associated IP of said requesting partner Web site is 
in an allowed list, and if said validation checks pass, then said global network server 
returning said global network account number to said partner Web site; and 

said partner Web site mapping said user's global network account number to 
a corresponding partner Web site record, logging user in, setting cookies of said 
partner Web site, and returning a personalized welcome page. 

1 1 . The method of Claim of 1 0 further comprising the steps of: 

said associated authentication agency domain checking if the site id is known 
or valid, if said user's credentials are valid, and if the user has authorized seamless 
login to said partner Web site. 

12. The method of Claim of 10, said seamless global network login processing 
further comprising the steps of: 

said JavaScript code writing out an HTML form comprising said global 
network login token as a hidden field and writing out a partner Web site global 
network login handler as an action URL, and auto-submitting said form such that 
said browser posts said form to said partner Web site global network login handler 
URL on said partner Web site. 
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